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ABSTRACT 



^^th^nticating~a-remote process operating in an address 
^ace-different-than.thatof a local process includes the stepsi 
of creating, by the local processpa tamper resistant module 
containing a temporary secret, sending the tamper resistant 
module and a challenge from the local process to the remote 
process, executing^ the tamper resistant module by the 
reji^oje^pj^cessand recovering the secret when the integrity 
of the remote process is verified by the tamper resistant 
module, encoding the challenge using the secret to produce 
a response, sending the response to the local process, and 
decoding the response by the local process. Option ally,lne 
tamper resistant module includes a request foF information 
from--the~second ^process _and_ the response includes -the 
^answer to the request for information. - — s 
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METHOD FOR STRONGLY DETAILED DESCRIPTION OF THE PRESENT 

AUTHENTICATING ANOTHER PROCESS IN INVENTION 

A DIFFERENT ADDRESS SPACE T t . , „ . . . 

In the following description, vanous aspects of the 

BACKGROUND OF THE INVENTION present invention will be described. However, it will be 

1. Field of the Invention apparent to those skilled in the art that the present invention 
The present invention relates generally to remote security ma y be P racticed with °nly some or all aspects of the present 

protocols in computer systems and more specifically to a invention. For purposes of explanation specific numbers, 

challenge-response protocol for ensuring the authenticity of materials and configurations are set forth in order to provide 

a process operating in a different address space. 10 a thor ° u S h understanding of the present invention. However, 

2. Description of Related Art U Wlll , also be a PP arenl *° one ^ * the art that the 
^ . . r r • , n present invention may be practiced without the specific 
Current methods of performing challenge-response pro- delails ,„ Qther ^ knQwn features ^ 

tocols .n a cryptographic system require the names or or ^ Hfled jn order not t0 obscure (he t invemion 

processes performing the protocol to share a high-value - . 

persistent secret or both parties must process appropriate « FIG. 1 is a diagram of two processes communicating with 
pieces of two asymmetric key pairs. In both of these each other in a secure manner according to the present 
scenarios, prior communication of the secrets between the ipvcsnuon. FIG- 1 shows two processes, Process A 10 and 
parties or knowledge of the public component of the other Pr ° cess B 12 ' Processes do not share an address space 
party's key pair is required. Most versions of such and may or may not exist on the same processor or computer 
challenge-response protocols are vulnerable to "man-in-the- 20 system. Typically, the processes will be parties to a trans- 
middle" attacks, which are particularly problematic if the a ^ ll0n 1 su ^ h 38 for electronic commerce, wherein Process B 
two parties are communicating over a network. Hence, 12 ask f ? [ occs * A 10 for a service t0 be Performed. An 
general challenge-response protocols prove only that a veri- exam P le of such a service 15 a consumer purchase, although 
fied channel between two endpoints sharing a secret has ^ transaction desired to be secure involving two parties 
been set up, but one of the endpoints could be insecure. It 25 f™*** b V a network 15 contemplated. Before Process A 
would be better if one party could authenticate the other Pro L cess ?' s re 9 uesl for service > Process A to 
party to ensure that the other party has not be tampered with establish the authenticity and verify the integrity of Process 
or "hacked", as opposed to just validating that the other R Auth enticity means that the entity purporting to be 
party shares the secret. This can be done when the parties Pro f ss B 15 actuall y Process B and not a fraudulent "man 
share the same address space by checking the contents of 30 m the middle attacker. Integrity verification means that 
memory of the other party, computing its digital signature, Process B has not bcen altered or "nacked" in any way. In 
and verifying its integrity. However, this cannot be accom- an embodiment of the present invention, Process A creates 
plished across different process address spaces unless the a tam P er re r s * taot module * 4 that 15 ca P abIc of verifying the 
memory is shared. Various challenge-response protocols and mte 6 ntv of Process B ' ™ e tam P er resistant module 15 a 
their deficiencies are described in "Applied Cryptography", 35 small piece of executable software that can be easily corn- 
by Bruce Schneier, second edition, 1996. What is needed is mumcated from one process to another and executed by a 
a protocol that overcomes the above problems and deficien- receiving system. Process A creates a temporary secret, 
cies of the prior art by securely communicating a required u m the tam P er resistant module t0 Process B such 
secret as part of an authentication process such that the tbat the tam P er resistant module wil1 onlv reveal the secret 
secret can be a nonce of no persistent worth and wherein the 40 |f Process B's credentials and actual image in memory agree, 
secret need not be previously communicated. Pracess B s credentials may be sent along with the tamper 

resistant module if Process A learns of Process B's creden- 

SUMMARY OF THE INVENTION tials beforehand, or they may be examined at Process B's 

An embodiment of the present invention is a method for system by the tamper resistant module (i.e., the location of 

authenticating a first process operating in an address space 45 tne credentials on process B's system could be passed as an 

different than that of a second process. The method includes argument to the tamper resistant module before it is 

the steps of creating, by the second process, a module executed). The credentials typically will be a predetermined 

containing a secret, sending the module and a challenge signed manifest of Process B's code image, 

from the second process to the first process, executing the Tamper resistant software is software which is resistant to 

module by the first process and recovering the secret when 50 observation and modification. It can be trusted, within 

the integrity of the first process is verified by the module, certain bounds, to operate as intended even in the presence 

encoding the challenge using the secret to produce a of a malicious attack. Tamper resistant software must be 

response, sending the response to the second process, and position independent and not require relocation in memory, 

decoding the response by the second process. Therefore, tamper resistant software does not have to run in 

BRIEF DESCRIPTION OF THE DRAWINGS 55 me same address space or processor in which it was created. 

The software is generated by using a tamper resistant 

The features and advantages of the present invention will compil er (not shown). The tamper resistant compiler is a 

become apparent from the following detailed description of compilcr that> when applied t0 a well prepare(j software 

the present invention in which: module, replaces the plain-text source code compiler gen- 

FIG. lis a diagram of two processes communicating with 60 eratec j j mage w j th a new ; mage that is obfuscated. This 

each other in a secure manner according to the present self-decrypting software will only execute properly if no 

invention; part 0 f me i ma g e has been altered from the time it was 

FIG. 2 is a flow diagram of the steps for authenticating compiled by the tamper resistant compiler. The tamper 

another process according to the present invention; and resistant compiler is a software approach towards providing 

FIG. 3 illustrates a sample computer system suitable to be 65 kernels of software with the ability to run in a "hidden" 

programmed with the authentication method in accordance execution mode. Attempts to decipher what the software is 

with embodiments of the present invention. actually doing, or modifications made to the software, will 
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result in the complete failure of the kernels (i.e., it will not 
decrypt properly). 

The tamper resistant module 14 includes an Integrity 
Verification Kernel (IVK). An 1VK is software that verifies 
that a program image corresponds to a supplied digital 
signature. This provides a robust mechanism for detecting 
changes made to executing software, where those changes 
might be caused by transmission errors or malicious attacks 
to the software. Any change to the software results in a 
failure in the verification process. IVKs for tamper resistant 
software are constructed to perform self -checks of object 
code, bilateral authentication of partner modules, and checks 
on local and remote data to verify the integrity of a software 
module. The IVK is self-modifying, self -decrypting, and 
installation unique. Two interprocess software modules 
requiring to communicate with each other can establish that 
the module one is calling is indeed the one it is expecting by 
computing the digital signature of the called module and 
comparing the computed signature against a predetermined 
value. This process is called bilateral authentication. In the 
present invention, the IVK is used to verify the integrity of 
Process B. Detailed methods for creating the tamper resis- 
tant module and providing integrity verification processing 
with IVKs and bilateral authentication are disclosed in 
pending U.S. patent applications entitled "Tamper Resistant 
Methods and Apparatus", Ser. No. 08/662,679, and "Tamper 
Resistant Methods and Apparatus", Ser. No. 08/924,740, 
both of which are commonly assigned to the same entity as 
the present invention and are incorporated herein by refer- 
ence. 

The tamper resistant module 14 also contains a secret 16 
which the tamper resistant module will not divulge until the 
integrity verification for Process B 12 is a success. The 
secret can be any arbitrary digital value selected by Process 
A. Process A 10 passes the tamper resistant module 14 
containing the secret to Process B 12, along with a challenge 
18. The tamper resistant module can be sent to Process B 
before the challenge, after the challenge, or simultaneously 
with the challenge. Process B then executes the tamper 
resistant module on its own system. The tamper resistant 
module is very difficult to examine or change while it is 
being executed. If the tamper resistant module runs properly 
and Process B's current image in memory is successfully 
verified according to the signed manifest of Process B's 
image 17, then Process B recovers the secret and uses the 
secret to encode the provided challenge to produce the 
appropriate response. Thus, response 20 includes an 
encrypted challenge E(challenge) 22. The response is sent 
back to Process A. Process A, already knowing the secret, 
decrypts the encrypted challenge. If the response is what 
Process A expects, then Process A knows that Process B is 
authentic and its integrity is intact. Further interaction 
between the parties can then commence. 

The present invention is more effective if the secret 16 is 
a temporary, low value secret that is only used once. It is 
preferable that the secret is a nonce of no persistent worth. 
Therefore, Process A changes the secret for every challenge- 
response sequence. Additionally, a time out mechanism can 
be employed in Process A such that response 20 must be 
returned within a specified short time period. This deters a 
malicious user at Process B from intercepting the tamper 
resistant module and challenge and attempting to break the 
inherent security described herein, because the attack cannot 
be successfully carried out in the allotted time, if ever. 
Optionally, Process A can also request information from 
Process B as part of the challenge. The information is then 
encoded in response 20 back to Process A along with the 
challenge. 
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FIG. 2 is a flow diagram of the steps for authenticating 
another process according to the present invention. At step 
100, Process A creates a tamper resistant module containing 
a secret. The secret may be any arbitrary digital value known 

5 to Process A. Preferably it is a temporary, low-value secret 
such as a newly generated random number. At step 102, 
Process A transmits the tamper resistant module containing 
the secret, a challenge, and optionally, a request for infor- 
mation to Process B. Next, at step 104, Process B executes 

30 the tamper resistant module, thereby recovering the secret if 
Process B's digital signature computed by the executing 
tamper resistant module corresponds to a signed manifest for 
Process B's image. If the Process B's image failed to verify 
according to the signed manifest, then the tamper resistant 

15 module detects tampering or another error condition, and no 
further processing is performed by either Process A or 
Process B. Process A then assumes that Process B is not 
authentic or that a malicious user has attempted to "hack" 
the tamper resistant module. Otherwise, Process B encodes 

20 the challenge received from Process A to produce the 
response at step 106. The encoding operation includes 
performance of any suitable cryptographic algorithm using 
the secret as the key. At step 108, Process B encodes the 
answer to Process A's request for information, if necessary. 

25 Next, Process B sends the response and optional answer 
back to Process A at step 110. Finally, at step 112, Process 
A decodes the response to validate B and optionally, learns 
the answer to its information request. If the decoded 
response contains the challenge Process Asent to Process B, 

3Q then Process B has been authenticated. 

One skilled in the art can see that the present invention 
securely sends the secret as part of the tamper resistant 
validation process, and that the secret can be a nonce of no 
persistent worth. Furthermore, the secret was not required to 

35 be shared ahead of time by the communicating processes, 
and two asymmetric key pair components were not shared 
by the processes. 

In the present invention, the party desiring authentication 
of a remote process sends an agent (i.e., the tamper resistant 

40 module) to the remote process to determine authenticity. 
This agent is constructed in such a way that it cannot be 
changed by a malicious user. One limitation, however, of the 
embodiment shown is that Process A must be able to 
construct a tamper resistant module that can be executed on 

45 Process B's operating system and processor. If the operating 
systems and underlying processors are the same (for 
example, WINDOWS NT or WINDOWS 95 operating 
systems available from Microsoft Corporation, Redmond, 
WA, and PENTIUM® or PENTIUM® II processors, avail- 

50 able from Intel Corporation, Santa Clara, Calif.), then a 
tamper resistant module created by one party will be a valid 
executable on the other party's system. 

The present invention could also be used in a bilateral 
manner, wherein Process A authenticates Process B and 

55 Process B also authenticates Process A. Both authentications 
are performed using the above described embodiment. That 
is, each process sends the other a tamper resistant module 
and challenge, and the receiving party must send back the 
correct response to the other party. Thus, each party trusts 

6o the other party for further communications. 

FIG. 3 illustrates a sample computer system suitable to be 
programmed with the authentication method in accordance 
with embodiments of the present invention. Sample com- 
puter system 200 may be used to execute processing steps 

65 described above for Process A, Process B, or both. When 
Process A and Process B are on systems remote from each 
other, Process A is executing on a first sample computer 
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system and Process B is executing on a second sample 
computer system connected to the first sample computer 
system via a network. Sample computer system 200 includes 
Central Processing Unit (CPU) 202 and cache memory 204 
coupled to each other through processor bus 205. Sample 
computer system 200 also includes high performance I/O 
bus 208 and standard I/O bus 218. Processor bus 205 and 
high performance I/O bus 208 are bridged by host bridge 
206, whereas high performance I/O bus 208 and standard 
I/O bus 218 are bridged by I/O bus bridge 210. Coupled to 
high performance I/O bus 208 are main memory 212 and 
video memory 214. Coupled to video memory 214 is video 
display 216. Coupled to standard I/O bus 218 are mass 
storage 220, and keyboard and pointing devices 222. 

These elements perform their convention functions well 
known in the art. In particular, mass storage 220 is used to 
provide permanent storage for the executable instructions of 
the authentication and tamper resistant programs/ 
applications, whereas main memory 212 is used to tempo- 
rarily store the executable instructions of authentication and 
tamper resistant programs/applications during execution by 
CPU 202. 

While this invention has been described with reference to 
illustrative embodiments, this description is not intended to 
be construed in a limiting sense. Various modifications of the 
illustrative embodiments, as well as other embodiments of 
the invention, which are apparent to persons skilled in the art 
to which the inventions pertains are deemed to lie within the 
spirit and scope of the invention. 

What is claimed is: 

1. A method of authenticating a first process operating in 
an address space different than that of a second process 
comprising: 

creatingvby-the second-process^a'tamper relisTa^Trnl^uTe 

'—containing a secret; — ' 

,sending th^lamperresistant module and a challengefrom 

the-sec^fprocess to the first process; J 

executing the tamper resisfanTmodule by the first process 
and recovering the secret when the integrity of the first 
process is verified byjhe~tamper~resistant module; 
encoding-the^cHallenge usingjhe secret to produce-ia 

I— response ; _ . - - - , J ~_ ^ ^ 

isendingahe response to the second process;~and 
decoding-the :respprisTby the second process: 1 ^ 

2. Thc-method-oLclair^lTwlierein the tamper resistant 45 
module comprises an integrity verification kernel to verify 
the integrity of the first process. 

3. The method of claim 1, wherein the secret is used only 
once. 

4. The method of claim 1, wherein the secret is a nonce 50 
of no persistent worth. 

5. The method of claim 1, further comprising determining 
that the first process is not authentic when the response is not 
received within a predetermined period of time. 

6. The method of claim 1, wherein the first process is 55 
verified by the module when a digital signature of the first 
process determined by the module corresponds to a signed 
manifest of the first process. 

7. The method of claim 1, wherein the challenge com- 
prises a request for information from the first process. 60 

8. The method of claim 7, further comprising encoding an 
answer to the request for information in the response. 

9. The method of claim 8, further comprising decoding the 
answer by the second process. 

10. An apparatus for authenticating a first process oper- 65 
ating in an address space different than that of a second 
process comprising: 
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a processing unit for executing programming instructions; 
and 

a storage medium having stored therein a plurality of 
programming instructions of the second process to be 
executed by the processing unit, wherein when 
executed, the plurality of programming instructions 
create a tamper resistant module containing a secret, 
create a challenge, send the tamper resistant module 
and the challenge to the first process, receive a response 
to the challenge from the first process, and decode the 
response. 

11. The apparatus of claim 10, wherein the tamper resis- 
tant module comprises an integrity verification kernel to 
verify the integrity of the first process. 

12. The apparatus of claim 10, wherein the challenge 
comprises a request for information from the first process. 

13. The apparatus of claim 10, wherein the secret is a 
nonce of no persistent worth. 

14. An apparatus for authenticating a first process oper- 
ating in an address space different than that of a second 
process comprising: 

a processing unit for executing programming instructions; 
and 

a storage medium having stored therein a plurality of 
programming instructions of the first process to be 
executed by the processing unit, wherein when 
executed, the plurality of programming instructions 
receive a tamper resistant module from the second 
process, initiate execution of the tamper resistant 
module, recover a secret embedded in the tamper 
resistant module when the integrity of the first process 
is verified during execution of the tamper resistant 
module, receive a challenge from the second process, 
encode the challenge using the secret to produce a 
response, and send the response to the second process. 

15. The apparatus of claim 14, wherein the tamper resis- 
tant module comprises integrity verification kernel to verify 
the integrity of the first process. 

16. The apparatus of claim 14, wherein the first process is 
verified when a digital signature of the first process deter- 
mined by the module corresponds to a predetermined signed 
manifest of the first process. 

17. The apparatus of claim 14, wherein the challenge 
comprises a request for information from the first process 
and the plurality of programming instructions further com- 
prise encoding an answer to the request for information in 
the response. 

18. An apparatus for authenticating a first process oper- 
ating in an address space different than that of a second 
process comprising: 

a processing unit for executing programming instructions; 
and 

a storage medium having stored therein a plurality of 
programming instructions to be executed by the pro- 
cessing unit, wherein when executed, the plurality of 
programming instructions create a tamper resistant 
module containing a secret, create a challenge, send the 
tamper resistant module and the challenge to the first 
process, initiate execution of the tamper resistant mod- 
ule in the address space of the first process, recover the 
secret embedded in the tamper resistant module when 
the integrity of the first process is verified during 
execution of the tamper resistant module, receive the 
challenge from the second process, encode the chal- 
lenge using the secret to produce a response, send the 
response to the second process, receive the response to 
the challenge from the first process, and decode the 
response. 
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19. An apparatus for bilateral authentication of local and 
remote processes comprising: 

a processing unit for executing programming instructions; 
and 

a storage medium having stored therein a plurality of 
programming instructions of a local process to be 
executed by the processing unit, wherein when 
executed, the plurality of programming instructions 
create a first tamper resistant module containing a first 
secret, create a first challenge, send the first tamper 
resistant module and the first challenge to a remote 
process, receive a first response to the first challenge 
from the remote process, decode the first response, 
receive a second tamper resistant module, initiate 
execution of the second tamper resistant module, 
recover a second secret embedded in the second tamper 
resistant module when the integrity of the local process 
is verified during execution of the second tamper 
resistant module, receive a second challenge from the 
remote process, encode the second challenge using the 
second secret to produce a second response, and send 
the second response to the remote process. 

20. A machine readable medium having stored therein a 
plurality of machine readable instructions designed to be 
executed by a processor, the machine readable instructions 
for creating a tamper resistant module containing a secret, 
creating a challenge, sending the tamper resistant module 
and the challenge to a remote process, receiving a response 
to the challenge from the remote process, and decoding the 
response. 

21. A machine readable medium having stored therein a 
plurality of machine readable instructions designed to be 
executed by a processor, the machine readable instructions 
for receiving a tamper resistant module from a remote 
process, initiating execution of the tamper resistant module, 
recovering a secret embedded in the tamper resistant module 
when the integrity of a local process is verified during 
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execution of the tamper resistant module, receiving a chal- 
lenge from the remote process, encoding the challenge using 
the secret to produce a response, and sending the response 
to the remote process. 

22. A machine readable medium having stored therein a 
plurality of machine readable instructions designed to be 
executed by a processor, the machine readable instructions 
for creating a tamper resistant module containing a secret, 
creating a challenge, sending the tamper resistant module 
and the challenge to a first process, initiating execution of 
the tamper resistant module in the address space of the first 
process, recovering the secret embedded in the tamper 
resistant module when the integrity of the first process is 
verified during execution of the tamper resistant module, 

' receiving the challenge from a second process, encoding the 
challenge using the secret to produce a response, sending the 
response to the second process, receiving the response to the 
challenge from the first process, and decoding the response. 

23. A machine readable medium having stored therein a 
3 plurality of machine readable instructions designed to be 

executed by a processor, the machine readable instructions 
for creating a first tamper resistant module containing a first 
secret, creating a first challenge, sending the first tamper 
resistant module and the first challenge to a remote process, 

' receiving a first response to the first challenge from the 
remote process, decoding the first response, receiving a 
second tamper resistant module from the remote process, 
initiating execution of the second tamper resistant module, 
recovering a second secret embedded in the second tamper 

J resistant module when the integrity of a local process is 
verified during execution of the second tamper resistant 
module, receiving a second challenge from the remote 
process, encoding the second challenge using the second 
secret to produce a second response, and sending the second 

' response to the remote process. 

* * * * * 
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sion continuity.overseveral transactions being conductedon 
the mtemet^securc.token is ma 

^sent-to~a-user-from-the-server-computer and^the-token- is^ 
^returned to tbe^server^with-each^submitted^transaction 
r«iuc^tr^The~tokenjs^^ 
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SYSTEM AND METHOD FOR SESSION A further advantage of the invention is that no special 

MANAGEMENT hardware or software is required at a participating client in 

BACKGROUND OF THE INVENTION order for the met h° d of the invention to perform satisfac- 

1. Field of the Invention K torUy ' ^ 

The present invention relates to/QeWoriented-pro^ advanta £* is that the Mentity-of-i -user-is 

grammed.apparatus and method for managing a user session / r ver ^ c Ajn^ach.reque_sJ_submitted by the user, without the 

on a network where^user application connections are not needJpi^the^user-to~resubjnit identity^information-and~aJ 

rmaintainedrMore partic^larly^me:present mvention^relates ^cjaor^cVpasswordjwt^each transactionjequest.^ 

Lto^ajoken validation apparatus andjnejkwj that is transpar-j These-and-other^adva£tages are obtained by the. instant 

/ent to the userand chenf application and is operable with any 10 invention through the^use^pf a unique token that is secure 

internet-client. — — — ~ ' from counterfeit and replay attacks. The token is created by 

2. Description of Related Art combining Jiser identity information with randorrTiriforma- 
One technique for conducting important transactions on a tion.and t able a ddress information in a way that has a high 

public network is to require that a user submit user identity attack work factor so that it can effectively not be duplicated, 

information and a password with every page or form sub- 35 To avoid disttacung.the^user, the token -is carried in a field 

milled to a server computer at an institution. This may be of me page4hat is normally not displayed in the presenUtion 

repetitive and tiresome to a user. Further, the more often that Requests submitted by the user automatically include 

these important values are communicated, the more exposed mLtoken^which-is-then compared at the server^with the 

they become to attack and therefore it is desirable to loken previo us ly mi out Xo the ^ No st 0 f ihcmcth ^ 

™Zm™*T r y occur at or accd * takcn b y me « r makin S thc 

» i . , , . . . . method transparent to thc user. The method and apparatus of 

Another known technique for conductmg imr^rUnt trans- ^ih^iotoierate to complement the transmission secu- 

acUons on a pubhc network mcludes secunng the-chent o^ ^V*^^a-hl/th* t c -/£ci \ 

user terminal^d-ehc^pting all important messages. A? y ^ SccUre Sock ^ ^ < SSL > ™W*<f* 

o^culty-wim-secu^ on-lhcjnterneMwth >a secure ^ user se^ion, . - J 

open architecture personal computers^ic^, un^^ BRIEF DESCRIPTION OF THE DRAWINGS 
Amatic teller machine, can not be secured. FuTtheTdifBculty 

^arises because new 'bTbwsef ^gra^ are being made- avails 1 is a high level diagram of the internet, 

able to the public all the time and ajinancial institution, for FIG. 2 is a block diagram showing the parts of the 

exa^le,^c~an not' control the features~of these-programs 30 invention 

beyond the basic stanoVrdValready being observed. Most of FIG. 3 is a block diagram of a computer which may be 

f wese^browscr programs.store^esin memory and allow used in carrying out the method and implementing the 

scrolling back and forth. Many oMhese browser programs apparatus of the invention 

f allow a page or folmTeceived from a financial institu-i FIG. 4 is a flow diagram showing the method of the 

Uon to be stored on disk for future reference. The existence 35 invention 

(of such* pages on an unsecured personal computer, for; _„ _ ' . . 

L example.aUa public library, may allow the next u^eTto^ . n u G - 5 shows * P ortlon of a form P a S c **>™in the token 

recover such information with minimal ha^eTkn^wledge^ nas becn ex P osed lo view - 

and submit the page in a replay mode, pretending.to belthe FIG - 6 snows a portion of a form page as it is displayed 

(jiuthorized user. If the page has been stored on disk^tjin 40 10 ^ authorized user for transaction selection, 

be^recovered at a later time even if -the computer has been ? shows a flow diagram of an alternate session 

^turned off. ~~~~ | ^ method according to the invention. 

fthTuse of encry^i6Tls~del^~ DESCRIPTION OF THE PREFFRRFH 

5^16,842 is implemented in min^ server -progranis^and D l^CR 1PTI ON OF mE PREFERRED 

/client browser.programs in the-form of the secure socket] 45 cmduuimcpi 

[hyer (SSL).JThis method by itself does not providesecure— ^ FIG. 1 portrays the overall environment wherein the 

session .cc^tinuity_at,an unsecured, terminal over me sequent invention finds utility. The cloud-like communication 

tial presentation and submission of.a number oLpages of a medium 11 is made up of communication lines and switches 

[ multi- page session^as provided by the instant uivention but connecting servers like server 13 to gateways like gateway 

only provides protection against those w^o would attack A 15. Server 13 and gateway 15 provide the communication 

oommu^cation^network. access to the world wide web internet. Server 13 may be 

UiSrPatr No. 5,237,614 jdescribes-a system based upon connected to an application server 17 as shown or may be 
limiting-access by a user to a client. at a jiserTocation and connected directly lo a host computer 19 which is the record 
{then relies on encryption to protect the session and^provide keeping computer of a financial institution providing trans- 
continuity over tbeseries of pages presented to the user and 55 actions over the internet 11 with users located remotely at 
submitted by the user. This system requires that specialized °f cl ient Personal Computers 21, 23 or 25. Computer 21 
client software-and hardware must be provided at eacn used ma y oe a l a P to P computer connected temporarily to corn- 
location which me ihManLinyention.does not reqwe. munication lines. Computer 23 may be a computer at a 

TnT^sem^inWntion overcomes these inadequacies, ptibhc Ubrai7 mat is available to members of the library for 

problems and disadvantages of the prior art by means of the 60 usc P re P arin g employment resumes and for accessing 

apparatus and method of the invention which is summarized services and information via the internet 11. Computer 25 

below. may be in a home environment and may be periodically 

connected via dial up to the internet. 

SUMMARY OF THE INVENTION End (0 end messa J e ,„ provided f()r ^ 

An advantage of the present invention is that a secure user_65 11 by a secure socket layer (SSL) encryption and decryption 

session can-be ^established between an ^ in each server program in 13 and each browser 

browser at anunsecuredclientr ^program in clients 21, 23 and 25. Thus there is little risk of 
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attack by tapping the phone lines for example. There number of hypertext links 501 through 511 for submission 
remains the risk of attack from the client itself after the SSL back to the server 17. Each submission format will include 
has provided decryption services. As will be described in the token. 

greater detail with respect to FIG. 3 wherein a sample ^ web r slor objcct 2n ^ ^ formatted 

computer is shown, each HTML page is stored m the 5 to ^ ^ pro ^am 201 for transmission to the 

memory of a client to allow forward and backward scrolling. f , « ic j r * n u * j- i !r ! . 

A page can optionally be stored to disk if the user desirel ga ™ y } ™ ■ * * u^r^ * thC 

Accordingly pages containing tokens may be available at the a * honzed u f r - The authorized user at the client, peruses 

client for access by hackers who wish to cause mischief. the P a S e , and provides input by selecting a link item or 

Txr* — u • o . entering information and returns at least a portion of the 

FIG. 2 is a block diagram showing a Common Gateway 10 to server 17 

Interface (CGI) program having a number of routines in the * 6 

form of programmed objects which make up a preferred Wmle ^ user is P cnisin S ^ P a S e > session object 

embodiment of the invention to thwart the above described periodically scans the content of the index entries comparing 

risks. Web Requestor object 211 runs in server 17 and ^ current time ^ me i]mt T stored each index entrv - 

receives requests and data from a server program 201 such 1S If ^ d^™" between the current time t and the stored 

as for example the National Center for Supercomputing ^ T exceeds a predetermined amount M, such as for 

Activities (NCSA) server program example four minutes, the data at the index entry is erased 

The object 211 also sends pages of data to the server on me ground thal me session has **** out * 

program for communication to the client 23, for example. At s f rver 17 > a newIv submitted request is processed by 

An example request and data may be a login with user 20 extractin S toe token, and decrypting it in the session object 

identification and password from a user at client 23 who 217 * ^ s^ 011 ^ s ^e index I content of the token to 

wishes to transfer funds from a savings account to a demand access data slored m the session table 221 at index entry 4, 

deposit account in order to cover purchases about to be made for exam P le » in FIG. 2 for comparison with the remaining 

with a cash card. token content. If the comparison indicates that the stored 

Object 211 receives the login request and passes it to the 25 dala Md the remaining 00016111 are ec * ua1 ' ^ submission is 

customer object 213 which passes it to the host object 215. recognized as being from an authorized user. The other 

The host object 215 passes the user identification and Pinions of the submission are then processed and request 

password to host 19 and receives a OK/NOT OK depending ^°«™tion is forwarded to host 19 for action, 

upon the correspondence of the password to the user identity While host processing is in progress, the session object 

information. If the password and identity information 30 cnaD g es transaction random number Rl and generates a 

correspond, the user is an authorized user and the host 19 new toke n preparation for sending transaction result 

also returns an account list and other practical information information to the authorized user. 

that can be used by the HTML page object 219 to format a In the event that the comparison indicates that the stored 

menu page or form to be sent to the authorized user. The user data aQ d the remaining content are unequal or the stored data 

identity information is passed to the session object 217 35 aas been erased, the submission is recognized as being from 

which sets up a session by generating a session token from an unauthorized user or a user whose session has expired, 

a hash of the identity information, from an index and from T° e other portions of the submission are then processed and 

random numbers R0 and Rl. R0 is the primary random with the page Hbrary 223, used to create a login request page 

number for this session and will not change during the 1° be sent to the user. 

existence of the session. Rl is a transaction random number 40 In another embodiment of the invention, the IP address of 

and it changes every time a new token is generated so that the client used to send the login request is made part the 

tokens are modified during this session in order to provide session table entry. Thereafter this stored IP address is 

randomness and prevent token replay. The identity compared with the IP address from which any submission is 

information, random information R0, Rl and other infor* received. If the IP address from which a submission was 

mation such as an account list and the page transmission 45 received is different from the IP address in the table, even if 

time T are stored in a session table 221 at the index entry I the token is otherwise found to be valid, the submission is 

used to create the token. In an alternate embodiment, to be not considered to be part of a valid session. This further 

explained later in greater detail, an Internet Protocol (IP) embodiment provides another level of session security with- 

address is also stored in the session table index entry. out adding significant processing overhead. 

The token is then returned to the customer object 213 and so FIG. 3 shows an example computer that may be used in 

the web requestor object 211 which sends the token and clients 21, 23 and 25 as well as at gateway 15 and servers 

pertinent account data to the HTML page object 219 for 13 and 17. Personal computer clients typically require less 

layout of a page. The page object 219 retrieves a page extensive resources and less powerful processors than are 

template from the page library 223 and inserts the pertinent required by gateway and server computers, but in other 

account information preparatory to sending the page to the 55 respects tbey are very similar. 

authorized user at client 23. The token is placed into a field The computer comprises the main case 301, a display 303 

that is normally not displayed to a user to avoid the distrac- and a keyboard 305. Inside of case 301 is found, random 

tion that the token would create in the mind of the user. The access and read only memory 309, a central processing unit 

token is also placed in each hypertext link in the page. Thus 307 and input output (I/O) circuits 311. The I/O circuits are 

whenever a request is submitted, it will include a token. It is 60 controlled by programs to in turn control the keyboard 305, 

recognized that in an open architecture client, all informa- display 303 and mass storage in the form of a fixed disk 

tion is accessible with some knowledge and effort, therefore media 313 and a removable disk unit 315. The unit 315 may 

the security of the token does not rely on being hidden from be a magnetic diskette unit or a compact optical disk unit, 

the user. Instead, it is encrypted. Thus there is, for practical Disk media 317 is removably insertable into unit 315. 

purposes, no way that the user or another person with access 65 Various browser programs and or server programs including 

to the client can tamper with the token undetected. FIG. 5 the program 319 in which the instant invention is embodied 

shows a portion of HTML source for a menu page with a may be written onto disk media 313 and/or diskette media 
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317 from which it is loaded into memory 309 to control the At block 411 the formatted HTML page is transmitted 

computer in accordance with the teachings and method of over the internet to the user where it is displayed, soliciting 

the invention. It will be recognized that media is not limited input of transaction selections such as Transfer Funds, 

to storage media but may also be a communication media Customer Service or other transaction. The token is not 

that carries the program of the instant invention to a server 5 displayed in normal operation but exists in each hypertext 

computer like the computer of FIG. 3. link 0fl the page For examp i e) ^ sho wn in FIG. 5, M loken- 

At a client personal computer, each page received from a O1O1DDA110O50B08" appears in hypertext links 501, 503, 

server is stored in memory 309 of a client to allow forward 505) 507f 509 ^ 5U but me lokcns ^ not ff in thc 

and backward scrolling. A page can optionally be stored to of thesc dons ^ nG 6 

disk 313 if the user desires. Accordingly pages containing 1Q While awaid ^ submission of requests in re to 

tokens in accordance with the instant invention will be M *^ n „Ai *u * *u 

available at the client for access by those who wish to cause W he **f° n <*J ecl ««««« ™ the 

mischief. It is for this reason that it is important that there be f 8 "? Uble ■»» b ' ock 413 and «>?P«« tunc J stored 

do need to perform any operations such as decryption or m each ^ **vo* current time t at block 415. If the 

interpretation upon the token at the browser or client. All of ? rrcn ' 1 * much later bv a predetermined amount M 

the unique apparatus if the invention is located at a server 15 than tne stored tiwe T » tbe 86551011 K considered to have 

and can interact with any browser observing current Hyper- timed out and ^ ^ m me entrv ^ erased as depicted in 

tent Transfer Protocol (HTTP) standards. block 417. Such removal of expired sessions from Ine 

OPERATION OF THE INVENTION * until ,he »«« Mission is received 

Referring now to the flow diagram in FIG. 4, the operation 20 When the authorized user makes a selection, the request 

of the invention at a server 17 will be described. At block is submitted to the server at block 421, retaining therein the 

401, the server 17 receives a request for service from an token originally sent out in the HTML page. At the server, 

mternet user. In response to this request, the server sends, at ^ c server program passes the submission through to the 

block 403, a login page to the user. The user enters identity Maaion objcct whcrc me tokcQ fa d d block 423 

tS^^™?.™^^^ 4 mCI T Zcd pa T^ 25 ex P 0SC a ******* field of token ^formation including an 
that can be used to verify that the person who remembered >L V • llM . . ™„ *u A a ♦ u • % 

mepa^wordisanaumorLduser.Theuserthensubmitsthe md «- * ^ * a ~f| ^ sorcd oken infor- 

login page at block 405. At block 406, the host 19 has matl ° n a ' J** ^ k stored .UteD mfomttlion is com- 

verified correspondence between the ID and password and at at block * 27 ™ th & c »«wed token information and 

block 407, the session object 217 generates a token as * honorcd ^ * ^ storcd ^ received token 

described earlier with respect to FIG. 2. 30 mfonnahon are equal to each other indicating that the 

The token can be represented by the expression: received token is a valid unexpired token. Although the 

index portion of the token information is not itself stored in 

E*(fflT>),R,t) ^ e ^55]^ tabj^ mc m dex is used to access the session table 

where E subscript k is thc encryption using the encryption and therefore, if the index is not the same as was sent in an 

key k of the argument value in the parentheses. f(ID) is a 35 outgoing token, an incorrect session table entry will be 

function such as a hash function of the users identity accessed and it will not compare equal to the remainder of 

information. R is a random number and I is the index to an the decrypted token. 

entry in the session table 221. It will be recognized that the If the token is found to be valid at block 427, tbe 

items in the parentheses of the above expression are not transaction is forwarded to the host object for processing at 

crucial to the invention but that other values serving equiva- 40 block 429 and a new token is generated at block 407 to be 

lent functions can be substituted therein. For example the sent to the authorized user with the response page at block 

token must exhibit randomness to avoid predictability and 409. 

therefore any value that exhibits a form of randomness may If the token is found to be invalid, or in the alternate 

be substituted for the value R. In one embodiment, a session embodiment of block 431, if the token was received from an 

random number R0 and a transaction random number Rl are 45 IP address other than stored in the session table, the request 

placed in the parentheses. Rl is changed for each page but is not processed but a login menu is sent to the user at block 

R0 remains the same until the session ends. By comparing 403 so as to determine if the user is an authorized user as was 

only R0 to the corresponding R0 stored in the session table previously described with respect to these blocks 403 and 

at index I, earlier pages can be used by a user to send in 405. 

requests. If it is desired to limit requests to those from the 50 During a session, multiple pages will be in existence at a 

latest page, both R0 and Rl are compared with correspond- client. In some instances, a user may make a selection from 

ing stored values to limit an incoming submitted token to the a much earlier page. Each page contains a token that is 

latest token. The token is generated by first combining the generated from the same session table entry but each token 

values of the variables in the parentheses into a multi-byte is further randomized by including another random number 

field which is then encrypted using an algorithm such as the 55 Rl in the value encrypted. In the preferred embodiment, Rl 

DES algorithm. In addition, the values of the variables used is not made part of the comparison to validate the token, 

to generate the token and the then current time T, are stored Therefore a user need not submit requests only from the 

in the session table at the index location. In one alternate latest page. 

embodiment, an internet protocol (IP) address is also This operation is shown more clearly in FIG. 7 where a 

included in the session table entry. The inclusion of the IP 60 session login is received at block 711 and a token is 

address allows a valid token coming from a different address generated at block 713 using an R0 and an Rl. It is sent in 

to be recognized as possibly being used by an un-authorized a page one at block 715 and received in a request at block 

717. Assuming the returned token is thc same as the gen- 

The token is combined at block 409 into an HTML page crated token, a modified token is generated at block 719 

by being placed into a hidden or other normally non- 65 using R0 and anew transaction random number R2. It is sent 

displayed field of a page by the HTML page object shown in page two at block 721. A request two is received but it 

in FIG. 2, may have been a link from page one. The request two token 
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is decrypted and the session random number RO is compared 
at block 727 to the RO stored in the session table as describer 
earlier. If it is desired to limit requests to those linked from 
the latest page, that is page two, then path 729 is followed 
and the compare of Rl with R2 is made at block 731. The 5 
session is ended at block 735 because an old page was used. 
In the alternative, if the user is allowed to use earlier pages, 
block 731 is bypassed and request two is processed at block 
733 because the session random number RO was the same as 
stored in the session table at index I. io 

Of course, many additional modifications and adaptations 
to the present invention could be made in both embodiment 
and application without departing from the spirit of this 
invention. For example, although an object oriented pro- 
grammed server computer is the current preferred is 
embodiment, a fixed embodiment or an alternate program- 
ming architecture may be used. Likewise other encrypting 
algorithms may be chosen to protect the token from reverse 
engineering at an unsecured client. Accordingly, this 
description should be considered as merely illustrative of the 20 
principles of the present invention and not in limitation 
thereof. 

We claim: 

1. Method of managing a user session on a network 

comprising the steps: — — — ^ 25 

A)^receivingat JTserw, jiser-uoique informationfirorr? a 
^use-r-at-a-client; 



B) generating at said^^rver^from-said" user-unique 
mfor™tion,~a:sessio'nTtoken; " ' ^' 

C) ( storag^said^ession token~at^said seryer; 

D) j#mbiriing jaja^se^pnjoken jntojijj^page; 

E) ^fransmitting saioVfirst pagiejo_said_client :for displaylb 
N said user and for input from said user; — " " " 

Fj^ jecei ving r first subroitted.requestat said :server;z^ 

G) coraparingj^submitted session token fronr said first 
submitted request with said session tokenat said server 

OoJtotify^said-first-submitt^^ from 
said user, ~~ "~ — ^ "' 

H) processing said submitted request and preparing a 
second page; ^^^^ 

^generating Jfom^^ 

fied token; ^ — 

J). storing said modified token at said server; 
K) combining said modified token into said second page; 
L) transmitting said second page to said client for display 

to said user and for input from said user; 
M)-rcceiving a second subraittedrequest :at:said:server; 
N) comparing a secolid submittedjtoken from.said second 

subWt^7ra3U(^t^w"^ 

sej^er. to idenuTy. said' second submitted request as 
being from said user in a same session as said first page 
and .said first submit ted " request; : : :: : — : 1 — ~^ 
2. The-method of claim 1 wherein said step B) further 
comprises the steps: 

assembling an argument including at least part of said 
user-unique information and session random informa- 
tion; 

encrypting said argument to create said session token; 
and wherein said step I) further comprises the steps: 
assembling another argument including at least part of 
said user-unique information, said session random 
information and second random information; 
encryptmg^sjudjmoto said modified 

token. 7l~r7~"" "~ ^ " 
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3. The method of claim 2 wherein said comparing step N) 
further comprises the steps: 

retrieving saidsecpnd submined^essjonjoken.from-said^^ 

^sccond^bmltedlrcquest; ~~~ ~~~ " ~~~~~~ 

dtCTypJmg~saiahs^^ 
sutoi1^d"argument;r3 I ^-— r 

comparmg_said_submitted^argument^th-said^anp^her^ 
^argument; ~~ ~~~ " — 

d^termining"that said:second :submitted:reo,m»X-ktfrdm 
said u ser i f session ra ndom information in said sub- 
imitte"d argument is equal to session randarnjnforoation 
m f said-another-argument at said server 

4. TCe'method of ^laim^^whercin.said arguments com- 
prise: ^^^^^-^ 

said user-unique information, said sessionTandom infor- 
mation and index information, said index information 
being an index into a session table where said user- 
unique information and said session random informa- 
tion is stored at said server, said tokens being generated 
by encrypting a concatenation of said at least part of 
said user-unique information, said session random 
information and said index information. 

5. The method of claim 2 wherein each of said arguments 
comprise: 

a hash of said user-unique information, said session 
random information and index information, said index 
information being an index into a session table where 
said user-unique information and session random infor- 
mation is stored at said server. 

6. The method of claim 5 wherein each of said tokens is 
generated from a same session table entry and a time of 
transmission is stored with each entry in said session table. 

7. The method of claim 6 further comprising the steps: 
processing a submitted form and preparing a third page; 
changing said second random information in said session 

table entry; 

generating from said session table entry, a third token; 

combining said third token into said third page; 

transmitting said third page to said client for display to 
said user and for input from said user; 

receiving a submitted form at said server node; 

comparing a submitted session token from said submitted 
form with said session token at said server node to 
identify said submitted form as being one of said first 
page, said second page and said third page from said 
user in the same session as said first page, said second 
page and said third page. 

8. The,method-otclaim-6 furmercompnsing the steps: 
fco^ariag-acuaent-timt -wil^jim^sto^'^th'~said 
^session table entry at said server; J ~^ 

erasing said stored^ession table entry when a difference 
between said current time and said time stored with 
said session table entry exceeds a predetermined time. 

9. The method of claim 8 further comprising the steps: 
sending^uponjreceipt -from said user of a request which is 
Qrom a page for which a session table entry is nol.found, 

a page soliciting^rej^bmission of-said -user-unique 
mformation;"^^! 
generating frbm_said user-um^u^mfonnation,3fiotBer 
session" token; 

combining said another session tokelTihtosaidpage for 
^which- a sessioif table entr^ was ^noTfound; 
transmitu'ng'said page fotwhich a session table entry was 
knotjound to jaid ch^Cforjhspjay to said^Lserand^for 
input -from. said user. 
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10. A computer program product for use in a data pro- 
cessing system, the computer program product comprising: 

a computer useable medium having computer readable 
program code embodied therein for managing a user 
session, said computer program product including: 

generating means for responding at a server to user- 
unique information from a user at a client and gener- 
ating from said user-unique information, a session 
token; 

means for combining said session token into portions of 
a first page; 

means for transmitting said first page to said client for 
display to said user and for input from said user; 

means for receiving a first submitted request at said 
server; 

means for comparing a submitted session token from said 
first submitted request with said session token at said 
server to identify said first submitted request as being 
from said user, 

means for processing said first submitted request and 
preparing a second page; 

means for generating a modified token from said session 
token by including a transaction random number in said 
token; 

means for combining said modified token into said second 
page; 

means for transmitting said second page to said client for 
display to said user and for input from said user; 

means for receiving a second submitted request at said 
server; 

means for comparing a submitted session token from said 
second submitted request with said modified token at 
said server to identify said second submitted request as 
being from said user in a same session as said first page 
and said first submitted request. 

11. The computer program product of claim 10 wherein 
said means for comparing further comprises: 

means for retrieving a submitted session token from a 
submitted request; 

means for decrypting said submitted token to retrieve a 
submitted argument; 

means for comparing said submitted argument; 

means for determining that said submitted request is from 
said user in a current session if a submitted session 
random number in said submitted argument is equal to 
a session random number in an argument from which 
tokens are being generated for said current session at 
said server. 

12. The computer program product of claim 10 further 
comprising: 

means for processing a submitted request and preparing a 
subsequent page; 

means for generating a modified token from said argu- 
ment by including a transaction random number in said 
token; 
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means for combining said modified token into a subse- 
quent page; 

means for transmitting said second page to said client for 
display to said user and for input from said user; 

means for receiving a subsequent submitted request at 
said server; 

means for decrypting a submitted token from said second 
submitted request to retrieve a submitted argument; 
10 means for comparing said second submitted argument 
with said argument at said server to identify said 
submitted request as being from said user in a same 
session as said page and an earlier submitted request. 

13. A server data processing system for managing a 
15 session with a client data processing system comprising: 

means for generating a taken from token arguments, said 
token arguments including user-unique information, a 
session random number and a page random number, 
20 said page random number being different for each page 
causing said token to be different for each page; 

means for transmitting said token to said client data 
processing system as part of each page; 

means for storing at said server data processing system, 
25 said token arguments and a time of transmission of a 
page; 

means for comparing a session random number, from a 
submitted token received at said server data processing 

30 system in a submitted request from a client data pro- 
cessing system, with a session random number stored at 
said server data processing system, said submitted 
token being a token from any of said each page; 
means for determining that said submitted request is part 

35 of an existing session when said submitted session 
random number compares equal to said session random 
number stored at said server data processing system. 

14. The server of claim 13 further comprising: 

40 means for periodically testing said time stored with said 
token arguments and removing said stored token argu- 
ments from storage at said server data processing 
system when a difference between a current time and 
said time stored with said stored token arguments 

45 exceeds a predetermined value. 

15. The server of claim 14 further comprising: 
session table means for storing said token arguments, said 

token arguments further including index information; 

5Q said means for comparing further comprising means for 
using index information, from a submitted token 
received at said server data processing system in a 
submitted request from a client data processing system, 
to address an entry in said session table means and 

55 retrieve stored token arguments when said stored token 
arguments have not been removed by said means for 
periodically testing. 
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